Fragmentation considered vulnerable: Blindly intercepting and discarding fragments

Yossi Gilad, Amir Herzberg

Research output: Contribution to conferencePaperpeer-review

18 Scopus citations


We show that fragmented IPv4 and IPv6 traffic is vulnerable to DoS, interception and modification attacks by a blind (spoofing-only) attacker. We demonstrated a weak attacker causing over 94% loss rate and intercepting more than 80% of data between peers. All attacks are practical, and validated experimentally on popular industrial and open-source products, with realistic network setups (involving NAT or tunneling). The interception attack requires a zombie behind the same NAT or tunnel-gateway as the victim destination; the other attacks only require a puppet (adversarial applet/script in sandbox). The complexity of our attacks depends on the predictability of the IP Identifier (ID) field and are simpler for implementations, e.g. Windows, which use globally-incrementing IP IDs. Most of our effort went into extending the attacks for implementations, e.g. Linux, which use per-destination-incrementing IP IDs.

Original languageAmerican English
StatePublished - 2011
Externally publishedYes
Event5th USENIX Workshop on Offensive Technologies, WOOT 2011 - San Francisco, United States
Duration: 8 Aug 2011 → …


Conference5th USENIX Workshop on Offensive Technologies, WOOT 2011
Country/TerritoryUnited States
CitySan Francisco
Period8/08/11 → …

Bibliographical note

Publisher Copyright:
© 2011 USENIX Association. All rights reserved.


Dive into the research topics of 'Fragmentation considered vulnerable: Blindly intercepting and discarding fragments'. Together they form a unique fingerprint.

Cite this